In 2018, the dominant ransomware-attack precursor was phishing. In 2026, it is the stealer log. The shift has happened quietly in industry breach data over the past four years, and it has reshaped the economics of intrusion to the point where most security teams are still defending against an older threat model.
The pipeline from infostealer infection to ransomware deployment now runs in days, not months. Understanding it is now essential to understanding modern ransomware itself.
The pipeline, in stages
Stage one: infection. A user, typically on a personal device, often outside corporate visibility, runs malware. The vector is unremarkable: a cracked Photoshop installer, a fake game cheat, a malicious npm package, a phishing attachment. Within minutes the infostealer (Lumma, RedLine successor, Vidar, Stealc, etc.) has extracted every saved password, every browser cookie, every authenticated session token from the device.
Stage two: collection. The malware operator aggregates logs from all their active infections, typically thousands per day for a mid-size operator. Each log is a ZIP of stolen data plus a fingerprint manifest.
Stage three: bulk sale or filtered resale. Logs flow into Telegram channels and underground forum marketplaces. Most are sold to bulk buyers at a few dollars apiece. A specialised tier of brokers buys these in volume and filters them, looking for logs that contain credentials for high-value targets: corporate VPN concentrators, cloud admin consoles, banking, MSP tooling, hypervisor management.
Stage four: access broker. The filtered logs reach Initial Access Brokers (IABs), the specialised intermediaries who connect raw access to the ransomware affiliates who actually run intrusions. An IAB might pay $50-500 for a log containing a Citrix session cookie for a $50M-revenue manufacturing company; they will resell that access to a ransomware affiliate for $5,000-20,000 depending on demonstrated reach.
Stage five: ransomware affiliate. The affiliate replays the session cookie, reaches the company’s network, and runs a multi-week intrusion ending in encryption and extortion. From the affiliate’s perspective, the foothold cost a few thousand dollars and required no phishing, no exploit, no zero-day. Just credential replay.
Total elapsed time from initial infostealer infection to ransom note: as little as 7-14 days, occasionally faster. Industry data from Coveware, Sophos, and Mandiant all show this compression year-over-year.
Why session cookies matter more than passwords
The single most important technical detail: stealer logs contain active authenticated session cookies, not just passwords. This bypasses MFA entirely.
Consider how MFA works. The user logs in, completes the second factor, and the application issues a session cookie. From that point on, the cookie is the credential: the application no longer asks for a password or MFA, it just checks the cookie’s signature and expiry. Sessions typically last hours to weeks.
When a stealer extracts the cookie, the attacker can replay it from any device. Modern applications often check IP geolocation and browser fingerprint as additional signals, but these can usually be matched (the IP is residential by default, the User-Agent is in the log) or worked around. Once replayed, the attacker is inside, fully authenticated, with no MFA challenge.
The Citrix Bleed-style vulnerabilities that dominated 2023 incident reports operated on the same principle: stolen session tokens replayed to bypass authentication. The difference is that infostealer-derived sessions don’t require a vulnerability, they require infection on any single device the user logs in from.
Documented incidents
The most prominent ransomware incidents of recent years have stealer-log precursors when investigators look closely. A representative sample from public reporting:
- Change Healthcare (2024). Initial access via Citrix portal lacking MFA. The credentials used originated from a stealer log containing the employee’s saved Citrix password, never used in a phishing attack.
- Multiple MSP compromises through 2023-2024. Affiliates of LockBit, BlackCat, Akira, and Play repeatedly entered through stolen credentials for ConnectWise, Kaseya, NinjaOne, and similar MSP platforms. Public IR reports cite stealer-log origins.
- Several US state and municipal incidents. Logs containing employee credentials for Active Directory or Microsoft 365 sold to access brokers, replayed weeks later.
Industry breach reports from IBM X-Force, Mandiant M-Trends, and Sophos’s State of Ransomware all now list "valid credentials" or "compromised credentials" as the leading initial-access category, displacing phishing. The credentials in question are predominantly stealer-log-derived.
The defensive implications
Five things every security team should be doing in 2026:
1. Continuous credential-leak monitoring. Services like Hudson Rock, SpyCloud, IntelX, NordStellar, and Stealercheck (forthcoming) monitor stealer-log markets for credentials matching your domain. The window between theft and exploitation is days; visibility into this window is the difference between rotating credentials before they are used and explaining to the board why you got ransomed.
2. Aggressive session lifetimes. Default 24-hour or 7-day session cookies in business-critical SaaS make the cookie-replay window much wider than it needs to be. Reduce to 8 hours for high-value applications, with re-authentication on sensitive actions. Combine with continuous-evaluation features (Microsoft’s Continuous Access Evaluation, Okta’s Universal Logout) so revoked tokens take effect immediately.
3. Conditional access on device posture. Block sessions from unmanaged devices for sensitive applications. A stealer log captures the session from one device, but if the application requires the device to be enrolled in your management, the replay fails.
4. BYOD reckoning. The "use your personal device for work email and SaaS" pattern that ballooned during COVID is the single largest enabler of stealer-log exploitation. Either provide managed devices, or accept that personal devices need at minimum browser isolation, EDR, and continuous credential monitoring; even then, they remain the weak link.
5. Treat password-manager exports with extreme paranoia. When a user exports their saved passwords from Chrome to migrate to 1Password or Bitwarden, that export file sits on disk. A stealer infects the device a week later and grabs it. Train users to delete export files immediately and never store them in cloud-synced folders.
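As an added example (not from the article or any vendor), the following Python sketches the server side of the session mechanics described under "Why session cookies matter more than passwords" together with controls 2 and 3 above: a signed cookie that is the credential, an 8-hour lifetime cap, step-up re-authentication for sensitive actions, revocation that takes effect immediately, and device binding so a cookie replayed from a device other than the one that completed MFA is refused and logged. The signing key, device identifiers and the `ENROLLED_DEVICES` set are constructed assumptions; a real deployment would take the device signal from its device-trust or management platform.

```python
import base64, hashlib, hmac, json, secrets

# Constructed values for this example; a real deployment keeps the key in a secret store.
SECRET = b"example-signing-key-not-for-production"
MAX_SESSION_AGE = 8 * 3600        # control 2: 8-hour cap instead of the 7-day default
REAUTH_WINDOW = 15 * 60           # sensitive actions need an MFA completed in the last 15 min
ENROLLED_DEVICES = {"laptop-01"}  # control 3: only managed (enrolled) devices may hold a session
REVOKED_SESSIONS = set()          # fed by CAE / Universal-Logout style revocation
REPLAY_ALERTS = []                # detection feed: cookie seen from a device it was not issued to

def issue_cookie(user, device_id, mfa_time, sid=None):
    """After password + MFA succeed, bind the session to the device that completed MFA."""
    sid = sid or secrets.token_hex(8)
    body = json.dumps({"sid": sid, "u": user, "d": device_id,
                       "iat": mfa_time, "mfa": mfa_time}).encode()
    sig = hmac.new(SECRET, body, hashlib.sha256).hexdigest().encode()
    return base64.urlsafe_b64encode(body + b"." + sig).decode()

def revoke_session(sid):
    """Continuous-evaluation style revocation: the next request with this sid is refused."""
    REVOKED_SESSIONS.add(sid)

def check_session(cookie, device_id, now, sensitive=False):
    """Validate a presented cookie. Returns (allowed, reason)."""
    body, _, sig = base64.urlsafe_b64decode(cookie).rpartition(b".")
    expected = hmac.new(SECRET, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"          # the cookie IS the credential: signature is the gate
    s = json.loads(body)
    if s["sid"] in REVOKED_SESSIONS:
        return False, "revoked"
    if now - s["iat"] > MAX_SESSION_AGE:
        return False, "expired"
    if device_id not in ENROLLED_DEVICES or device_id != s["d"]:
        # Valid signature and lifetime but the wrong device: the stealer-log replay pattern.
        REPLAY_ALERTS.append({"sid": s["sid"], "user": s["u"],
                              "issued_to": s["d"], "seen_from": device_id})
        return False, "device mismatch: possible cookie replay"
    if sensitive and now - s["mfa"] > REAUTH_WINDOW:
        return False, "step-up required"       # re-authenticate before the sensitive action
    return True, "ok"
```

Note that the device check is what defeats the replay: without it, the stolen cookie passes signature and expiry checks exactly as the legitimate user's would.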
The credential-theft economy is now the most consequential single threat to corporate networks, and the most overlooked by traditional defensive thinking. The cost-benefit asymmetry ($5 to buy the log, $5M to clean up the resulting ransomware incident) is among the worst the industry has ever produced. Closing that gap is the work of the next decade.
